1. Technological Field
The present application relates generally to fraud control in telecommunications systems and, in particular, to suppressing the generation of alerts associated with fraud control thresholds in a long distance telecommunications network.
2. Description of the Related Art
Phone fraud is an ever-increasing problem in this country. This is a greater problem for long distance carriers (also known as Inter-Exchange Carriers, or IXCs) than for Local Exchange Carriers (LECs), because the costs for fraudulent long distance calls are greater than fraudulent local calls. Since most fraudulent methods target the customers of long distance carriers, the long distance carriers often assume the majority of the liability for these calls in order to maintain good relations with customers and potential customers. In order to cope with these costs, IXCs have developed various techniques of fraud control.
The techniques of fraud control have been shaped by the fraudulent methods they are designed to defeat. Simply put, the most common technique of fraud control is to detect the symptoms of fraudulent behavior. This cannot be accomplished on a per call basis, but rather on the statistical basis of network traffic flow.
For example, as shown in FIG. 1, one type of fraud is customer premise equipment (CPE) fraud, where a hacker 101 obtains access to a Private Branch Exchange (PBX) 110 and uses it to make outgoing calls. The hacker 101 calls PBX 110, and is thereby connected through LEC 105, IXC network 150, and LEC 109, to the privately-owned PBX 110. Once the hacker has electronically broken into the PBX 110, he can make outgoing calls, from PBX 110 and through IXC network 150, to any long distance destination. These fraudulent calls are often to international destinations, such as telephone 158. However, there are certain characteristics of this type of fraud. First, the hacker 101 usually needs to make repeated short calls to the PBX 110 in order to access the outside trunk line. Second, the fraudulent calls that the hacker 101 makes on the PBX 110 are often to international destinations. Third, once the hacker 101 has access to an outside trunk line on a PBX 110, the hacker 101 usually keeps the line busy for extended periods of time. Fourth, these fraudulent calls are often made during non-business hours, when it is unlikely a business PBX would be unduly busy.
As another example, the hacker 101 may illegally obtain a calling card. In this case, when the hacker 101 makes a call, it is routed through the Intelligent Services Network (ISN) platform 130 for validation, authorization, and connection. If the calling card has not been reported stolen or missing, the call would be processed through the ISN platform 130 and released to the IXC network 150. As with most fraudulent calls, it is likely that the call will terminate at a foreign destination, such as telephone 158. However, once again there are certain characteristics to this type of fraud. First, stolen calling cards are often distributed or resold to a group of people, resulting in a dramatic increase in traffic in a short amount of time on that calling card account. Second, this type of fraud may be perpetrated from certain dialing areas more than other dialing areas. In addition, as with the CPE example, the calls are often to international destinations, and last for extended periods of time.
Although the above examples are not an attempt to create an exhaustive list of the characteristics of fraudulent calling schemes, they do illustrate what an IXC must look for in order to detect fraud. Based on the above characteristics, an IXC can monitor calling patterns for particular behaviors. Below, an exemplary and simplified fraud control system is described. The described system is based upon U.S. Pat. Nos. 5,566,234, 5,596,632, and 5,805,686, which all have the same assignee as the present invention and which all are hereby incorporated by reference.
When reviewing the characteristics of fraudulent behavior described above, it is clear that a fraud control system must closely scrutinize the following calling patterns:
Inbound 800 number calls;
Outbound international calls;
Numerous short duration calls which may indicate that hackers are attempting entry;
Excessively long calls which may indicate that hackers are using inbound trunks to make outbound calls;
An unusual number of calls to foreign countries; and
An unusual number of calls during non-business hours (for accounts associated with businesses).
Furthermore, fraud may be suspected when calls originate from prisons, pay phones, hotels, hospitals, etc. Some originating regions, such as Manhattan, may become suspicious over time, if more fraudulent calls are made from that region than others. The records about such origin points may be scrutinized more carefully. For calls to specific “800” numbers or from certain Automatic Number Identifications (ANIs), the following data may be collected:
Total number of short duration calls;
Total number of long-duration calls;
Total number of calls of any type; and
Total number of cumulative minutes from any type of call.
For this type of statistical data, thresholds are established. A threshold is a number which, when exceeded, generates an alarm (or alert) indicating possible fraud. For example, the total number of short duration calls might have a threshold of 100 within a given period of time. If, within that period of time, a 101st call is made, a threshold alert would be generated. Thresholds may be specified for different times, different days of the week, different billing categories; in fact, almost any permutation of characteristics can be used to specify a threshold.
Thresholds may also be weighted in order to indicate an increased risk associated with certain calls. When a threshold is weighted, the statistic for that call is multiplied by the assigned risk factor (any number between 1.0 and 100.0). For example, if an outbound call to Cuba is assigned a risk of 2.0, then such a call is counted twice. In this way, the threshold is exceeded more quickly. Risk factors may be assigned to calls to or from specific exchanges, specific countries, specific calling card accounts, etc. As with thresholds themselves, risk factors can be applied to any measurement of traffic characteristics.
There are various records that are used in telecommunications system management and fraud control. A “billing number” (a billing product and an account number, such as a calling card, pre-paid phone card, etc.) is used to identify a particular account. Within the network itself, detailed information in the form of a Call Detail Record (CDR) is associated with each call made. Certain components within the long distance switched network used by the IXC create and maintain the CDRs, thus allowing billing information to be tracked.
An exemplary and simplified fraud control system is shown in FIG. 2. The network 200 generates CDRs that are collected, along with billing data 210, by a billing software program 220. The billing software program 220 selects relevant CDRs to be sent to the fraud control system 250. What is considered a relevant CDR is determined by previously gathered statistics. For instance, relevant CDRs may be the CDRs associated with all non-residential inbound “800” number calls and outbound international calls. This prevents the fraud control system 250 from being overwhelmed with data. Inside the fraud control system 250, the CDR and billing data output of the billing software program 220 enters a fraud data server (FDS) 252. The FDS 252 includes a buffer for holding call records and provides call records to a Threshold Manager (TM) 254. The TM 254 processes call records by reviewing their fields and comparing their fields with the established thresholds. The TM 254 generates alarms when thresholds are exceeded, and transmits these alarms to the FDS 252. The FDS 252 subsequently produces alarm summaries and forwards them to the fraud control workstation 256.
The fraud control workstation 256 provides a graphical user interface for a fraud analyst, who analyzes alarms and general status reports. The workstation 256 has access to the call records buffered in the FDS 252, as well as to billing data and general network CDRs through the FDS 252. In this way, the fraud analyst has full access to all necessary information to make a determination concerning the occurrence of fraud. When a particular threshold alert is analyzed, the history of that billing number is reviewed in order to determine whether or not to deactivate that billing number. The fraud analyst may attempt to contact the owner of the account associated with that billing number in order to resolve the issue. If the fraud analyst decides that the calling card is being used fraudulently, he sets a “fraud flag” which indicates that subsequent calls using this billing number should be blocked or intercepted. This whole process may be automated so that a fraud analyst is not needed to actually flag a billing number.
However, there are certain accounts that produce legitimate non-fraudulent but high-volume traffic that resembles fraudulent traffic. For example, a phone sales company that is cold-calling within a certain telephone exchange will generate repeated short calls in a short duration. In the prior art, this traffic would keep setting off the threshold alarms, forcing fraud analysts to repeatedly determine whether the billing number is generating fraudulent traffic. This process wastes the fraud analysts' time as well as taking them away from analyzing genuinely fraudulent calls.
Therefore, a need exists for a system and method to reduce the alarms generated by non-fraudulent high-volume traffic.
One object of this invention is to provide a system and method of reducing alarms generated by non-fraudulent traffic exceeding thresholds in a fraud control system in a telecommunications network.
Another object of this invention is to provide a system and a method for recognizing and reducing the counts of suspicious but non-fraudulent traffic in a fraud control system in a telecommunications network.
To accomplish the above and other objects, a system and method for suppressing threshold alerts in a telecommunication fraud control system is disclosed. In this system and method, it is determined whether or not a particular account will have alert suppression enabled, based on the type of account and its history. Once alert suppression is enabled, the count is multiplied by a coefficient before determining whether to issue a threshold alert. If the multiplied count exceeds the threshold, an alert is generated. If not, no alert is generated.
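The weighted threshold counting described in the related-art section and the suppression coefficient described above can be seen together in the following added example, which is not part of the original text and is not code from the described system. `ThresholdManager`, `CallRecord` and `first_alert_call` are hypothetical names; the 30-second short-call cutoff and the (0, 1] coefficient range are assumptions, a single counting period is modelled, and the decision of which accounts get suppression is taken as already made.

```python
from collections import defaultdict
from dataclasses import dataclass

SHORT_CALL_SECONDS = 30  # assumption: the page gives no cutoff for "short duration"

@dataclass
class CallRecord:  # constructed, minimal stand-in for a CDR
    billing_number: str
    dest_country: str
    duration_s: int

class ThresholdManager:
    """Counts short-duration calls per billing number against one threshold."""

    def __init__(self, threshold, risk_factors=None, suppression=None):
        self.threshold = threshold
        self.risk = dict(risk_factors or {})        # destination -> risk factor
        self.suppression = dict(suppression or {})  # billing number -> coefficient
        if any(not 1.0 <= r <= 100.0 for r in self.risk.values()):
            raise ValueError("risk factor must be between 1.0 and 100.0")
        if any(not 0.0 < c <= 1.0 for c in self.suppression.values()):
            raise ValueError("suppression coefficient assumed to be in (0, 1]")
        self.counts = defaultdict(float)

    def process(self, cdr):
        """Update the weighted count; return an alert dict or None."""
        if cdr.duration_s >= SHORT_CALL_SECONDS:
            return None  # not a short call, so this statistic is unchanged
        # Weighting: a call with risk factor 2.0 is counted twice.
        self.counts[cdr.billing_number] += self.risk.get(cdr.dest_country, 1.0)
        raw = self.counts[cdr.billing_number]
        # Suppression: multiply the count by the account's coefficient
        # before the comparison; accounts without one use 1.0.
        effective = raw * self.suppression.get(cdr.billing_number, 1.0)
        if effective > self.threshold:  # alert only when the threshold is exceeded
            return {"billing_number": cdr.billing_number,
                    "raw_count": raw, "effective_count": effective}
        return None

def first_alert_call(manager, billing_number, dest_country, n_calls):
    """Feed n_calls constructed 10-second calls; return the 1-based index
    of the call that first raises an alert, or None if none does."""
    for i in range(1, n_calls + 1):
        if manager.process(CallRecord(billing_number, dest_country, 10)):
            return i
    return None
```

With a threshold of 100, an unweighted account alerts on its 101st short call, a destination weighted 2.0 alerts on the 51st, and an account with a 0.5 coefficient does not alert until the 201st.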